Enhance S3 to support EC2 instance roles

[pcolmer]

Is your feature request related to a problem? Please describe.
At the moment, when you configure NC to support S3 as primary object storage, you need to specify the access key ID and secret access key. This, in turn, requires the creation of a user on IAM. The drawback to this is that the keys get stale over time which becomes a security vulnerability.

Describe the solution you'd like
If NC is running on an AWS EC2 instance, it should be possible to use the instance role to gain the appropriate credentials. The code could try to use this mechanism automatically if config.php is missing the keys.

https://docs.aws.amazon.com/aws-sdk-php/v2/guide/credentials.html#instance-profile-credentials

Describe alternatives you've considered
Creating a user and then manually rotating the keys regularly but this requires the config file to get updated and NC to be restarted.

[kesselb]

<?php

require_once '3rdparty/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\CredentialsInterface;

/** @var callable $credentialsProvider */
$credentialsProvider = CredentialProvider::defaultProvider();
/** @var CredentialsInterface $credentials */
$credentials = $credentialsProvider()->wait();

$CONFIG = [
	'objectstore' => array(
		'class' => \OC\Files\ObjectStore\S3::class,
		'arguments' => array(
			'bucket' => 'nextcloud',
			'autocreate' => true,
			'key' => $credentials->getAccessKeyId(),
			'secret' => $credentials->getSecretKey(),
			'hostname' => 'localhost',
			'port' => 9600,
			'use_ssl' => false,
			'region' => 'us-east-1',
			// required for some non Amazon S3 implementations
			'use_path_style' => true
		),
	),
];

Using above file as config/objectstore.config.php should work. It's a bit hacky because we need to load the autoloader for external libraries but then we can fetch the credentials from the identity provider. I have not tested it with a ec2 instance but the code is called at the right time ;)

[kesselb]

But a flag like 'useCredentialProvider' => true, might be easier.

[pcolmer]

@kesselb thank you very much for providing that config snippet.

Apart from putting that file into the config directory, do I need to do anything to tell NC to use it? I've commented out the objectstore block in config/config.php but now NC gives me errors when I try to access the main page:

{
  "reqId": "yEwiJelsN5HFBiHo57rf",
  "level": 3,
  "time": "2020-03-05T13:44:57+00:00",
  "remoteAddr": "81.128.185.34",
  "user": "ocadmin",
  "app": "core",
  "method": "GET",
  "url": "/nextcloud/index.php/apps/files/",
  "message": {
    "Exception": "OCP\\Files\\NotPermittedException",
    "Message": "Could not create path",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/nextcloud/lib/private/Files/SimpleFS/SimpleFolder.php",
        "line": 84,
        "function": "newFile",
        "class": "OC\\Files\\Node\\Folder",
        "type": "->",
        "args": [
          "merged-template-prepend.js"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
        "line": 179,
        "function": "newFile",
        "class": "OC\\Files\\SimpleFS\\SimpleFolder",
        "type": "->",
        "args": [
          "merged-template-prepend.js"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
        "line": 105,
        "function": "cache",
        "class": "OC\\Template\\JSCombiner",
        "type": "->",
        "args": [
          "/var/www/nextcloud/core/js",
          "merged-template-prepend.js",
          {
            "__class__": "OC\\Files\\SimpleFS\\SimpleFolder"
          }
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
        "line": 115,
        "function": "process",
        "class": "OC\\Template\\JSCombiner",
        "type": "->",
        "args": [
          "/var/www/nextcloud",
          "core/js/merged-template-prepend.json",
          "core"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
        "line": 71,
        "function": "cacheAndAppendCombineJsonIfExist",
        "class": "OC\\Template\\JSResourceLocator",
        "type": "->",
        "args": [
          "/var/www/nextcloud",
          "core/js/merged-template-prepend.json"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/ResourceLocator.php",
        "line": 78,
        "function": "doFind",
        "class": "OC\\Template\\JSResourceLocator",
        "type": "->",
        "args": [
          "js/merged-template-prepend"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
        "line": 346,
        "function": "find",
        "class": "OC\\Template\\ResourceLocator",
        "type": "->",
        "args": [
          [
            "core/js/dist/main",
            "js/merged-template-prepend",
            "search/js/search",
            "core/l10n/en",
            "js/backgroundjobs",
            "files_pdfviewer/l10n/en",
            "files_pdfviewer/js/previewplugin",
            "files_sharing/l10n/en",
            "files_sharing/js/dist/main",
            "files_videoplayer/l10n/en",
            "files_videoplayer/js/main",
            "notifications/l10n/en",
            "notifications/js/notifications",
            "search/l10n/en",
            "search/js/searchprovider",
            "js/files/fileinfo",
            "js/files/client",
            "files/l10n/en",
            "files/js/merged-index",
            "files_sharing/js/dist/collaboration",
            "spreed/l10n/en",
            "spreed/js/collections",
            "text/l10n/en",
            "text/js/files",
            "federatedfilesharing/l10n/en",
            "federatedfilesharing/js/external",
            "files_rightclick/l10n/en",
            "files_rightclick/js/script",
            "files_rightclick/js/files",
            "onlyoffice/l10n/en",
            "onlyoffice/js/desktop",
            "onlyoffice/js/main",
            "recommendations/l10n/en",
            "recommendations/js/main",
            "js/dist/systemtags",
            "systemtags/l10n/en",
            "systemtags/js/systemtags",
            "comments/l10n/en",
            "comments/js/comments",
            "files_versions/l10n/en",
            "files_versions/js/files_versions",
            "files_sharing/js/dist/files_sharing",
            "files_sharing/js/dist/additionalScripts",
            "viewer/l10n/en",
            "viewer/js/viewer",
            "files/js/dist/sidebar",
            "files/js/fileinfomodel",
            "activity/l10n/en",
            "activity/js/activity-sidebar",
            "files_sharing/js/dist/files_sharing_tab",
            "spreed/js/talk-files-sidebar",
            "spreed/js/talk-files-sidebar-loader",
            "files_trashbin/l10n/en",
            "files_trashbin/js/files_trashbin",
            "firstrunwizard/l10n/en",
            "firstrunwizard/js/about"
          ]
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
        "line": 174,
        "function": "findJavascriptFiles",
        "class": "OC\\TemplateLayout",
        "type": "::",
        "args": [
          [
            "core/js/dist/main",
            "js/merged-template-prepend",
            "search/js/search",
            "core/l10n/en",
            "js/backgroundjobs",
            "files_pdfviewer/l10n/en",
            "files_pdfviewer/js/previewplugin",
            "files_sharing/l10n/en",
            "files_sharing/js/dist/main",
            "files_videoplayer/l10n/en",
            "files_videoplayer/js/main",
            "notifications/l10n/en",
            "notifications/js/notifications",
            "search/l10n/en",
            "search/js/searchprovider",
            "js/files/fileinfo",
            "js/files/client",
            "files/l10n/en",
            "files/js/merged-index",
            "files_sharing/js/dist/collaboration",
            "spreed/l10n/en",
            "spreed/js/collections",
            "text/l10n/en",
            "text/js/files",
            "federatedfilesharing/l10n/en",
            "federatedfilesharing/js/external",
            "files_rightclick/l10n/en",
            "files_rightclick/js/script",
            "files_rightclick/js/files",
            "onlyoffice/l10n/en",
            "onlyoffice/js/desktop",
            "onlyoffice/js/main",
            "recommendations/l10n/en",
            "recommendations/js/main",
            "js/dist/systemtags",
            "systemtags/l10n/en",
            "systemtags/js/systemtags",
            "comments/l10n/en",
            "comments/js/comments",
            "files_versions/l10n/en",
            "files_versions/js/files_versions",
            "files_sharing/js/dist/files_sharing",
            "files_sharing/js/dist/additionalScripts",
            "viewer/l10n/en",
            "viewer/js/viewer",
            "files/js/dist/sidebar",
            "files/js/fileinfomodel",
            "activity/l10n/en",
            "activity/js/activity-sidebar",
            "files_sharing/js/dist/files_sharing_tab",
            "spreed/js/talk-files-sidebar",
            "spreed/js/talk-files-sidebar-loader",
            "files_trashbin/l10n/en",
            "files_trashbin/js/files_trashbin",
            "firstrunwizard/l10n/en",
            "firstrunwizard/js/about"
          ]
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/template.php",
        "line": 184,
        "function": "__construct",
        "class": "OC\\TemplateLayout",
        "type": "->",
        "args": [
          "error",
          ""
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Template/Base.php",
        "line": 132,
        "function": "fetchPage",
        "class": "OC_Template",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/template.php",
        "line": 333,
        "function": "printPage",
        "class": "OC\\Template\\Base",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/nextcloud/index.php",
        "line": 65,
        "function": "printExceptionErrorPage",
        "class": "OC_Template",
        "type": "::",
        "args": [
          {
            "__class__": "OCP\\Files\\NotPermittedException"
          },
          500
        ]
      }
    ],
    "File": "/var/www/nextcloud/lib/private/Files/Node/Folder.php",
    "Line": 185,
    "CustomMessage": "--"
  },
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4063.0 Safari/537.36 Edg/82.0.439.1",
  "version": "18.0.1.3"
}

[pcolmer]

Hmm ... it looks like there may be a problem with the suggested code. If I uncomment the objectstore block with the hardcoded access details, I still have a broken NC service until I rename the new file out of the way. That suggests that NC is trying to use that file but not getting what it needs.

I've installed the AWS CLI on the server and confirmed that the implicit instance role is granting the permissions I need, so the instance role itself is working.

[kesselb]

Hmm :( You adjusted the arguments to your needs? I just copied my local version (that was configured for minio).

[pcolmer]

Yes, I did but thanks for checking.

I changed the bucket name and removed hostname, port, use_ssl and use_path_style.

Is there any debugging I can add to try and see what is happening/going wrong?

[c-reiter]

I think I have a similar problem as @pcolmer. After building a working setup with Nextcloud 17 and Minio as primary storage a few months ago, yesterday I tried to do another setup with Minio and Nextcloud 18.0.3 with these config settings:

'objectstore' =>
array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => 
    array (
      'bucket' => 'censored',
      'autocreate' => false,
      'key' => 'censored',
      'secret' => 'censored',
      'hostname' => 'localhost',
      'port' => 9000,
      'use_ssl' => false,
      'use_path_style' => true,
      'region' => 'us-east-1',
    ),
  ),

which, when first opening the NC url in the browser lead to the Minio error
Error: b2_create_bucket: 400: Bucket name is already in use (which doesn't make sense, as I set autocreate to false in the nc config)

and also lead to the NC error:

{
    "reqId": "TkN22M91r0eTahkCvYHq",
    "level": 3,
    "time": "2020-04-11T11:38:49+00:00",
    "remoteAddr": "censored",
    "user": "--",
    "app": "core",
    "method": "GET",
    "url": "/login",
    "message": {
        "Exception": "OCP\\Files\\NotPermittedException",
        "Message": "Could not create path",
        "Code": 0,
        "Trace": [
            {
                "file": "/var/www/nextcloud/lib/private/Files/SimpleFS/SimpleFolder.php",
                "line": 84,
                "function": "newFile",
                "class": "OC\\Files\\Node\\Folder",
                "type": "->",
                "args": [
                    "merged-template-prepend.js"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
                "line": 179,
                "function": "newFile",
                "class": "OC\\Files\\SimpleFS\\SimpleFolder",
                "type": "->",
                "args": [
                    "merged-template-prepend.js"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
                "line": 105,
                "function": "cache",
                "class": "OC\\Template\\JSCombiner",
                "type": "->",
                "args": [
                    "/var/www/nextcloud/core/js",
                    "merged-template-prepend.js",
                    {
                        "__class__": "OC\\Files\\SimpleFS\\SimpleFolder"
                    }
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
                "line": 115,
                "function": "process",
                "class": "OC\\Template\\JSCombiner",
                "type": "->",
                "args": [
                    "/var/www/nextcloud",
                    "core/js/merged-template-prepend.json",
                    "core"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
                "line": 71,
                "function": "cacheAndAppendCombineJsonIfExist",
                "class": "OC\\Template\\JSResourceLocator",
                "type": "->",
                "args": [
                    "/var/www/nextcloud",
                    "core/js/merged-template-prepend.json"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/ResourceLocator.php",
                "line": 78,
                "function": "doFind",
                "class": "OC\\Template\\JSResourceLocator",
                "type": "->",
                "args": [
                    "js/merged-template-prepend"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
                "line": 346,
                "function": "find",
                "class": "OC\\Template\\ResourceLocator",
                "type": "->",
                "args": [
                    [
                        "core/js/dist/main",
                        "js/merged-template-prepend",
                        "search/js/search",
                        "core/l10n/de_DE",
                        "js/backgroundjobs",
                        "files_sharing/l10n/de_DE",
                        "files_sharing/js/dist/main",
                        "files_pdfviewer/l10n/en",
                        "files_pdfviewer/js/previewplugin",
                        "files_videoplayer/l10n/en",
                        "files_videoplayer/js/main",
                        "search/l10n/de_DE",
                        "search/js/searchprovider",
                        "js/files/fileinfo",
                        "js/files/client",
                        "core/js/dist/login"
                    ]
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
                "line": 174,
                "function": "findJavascriptFiles",
                "class": "OC\\TemplateLayout",
                "type": "::",
                "args": [
                    [
                        "core/js/dist/main",
                        "js/merged-template-prepend",
                        "search/js/search",
                        "core/l10n/de_DE",
                        "js/backgroundjobs",
                        "files_sharing/l10n/de_DE",
                        "files_sharing/js/dist/main",
                        "files_pdfviewer/l10n/en",
                        "files_pdfviewer/js/previewplugin",
                        "files_videoplayer/l10n/en",
                        "files_videoplayer/js/main",
                        "search/l10n/de_DE",
                        "search/js/searchprovider",
                        "js/files/fileinfo",
                        "js/files/client",
                        "core/js/dist/login"
                    ]
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/legacy/template.php",
                "line": 184,
                "function": "__construct",
                "class": "OC\\TemplateLayout",
                "type": "->",
                "args": [
                    "error",
                    ""
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/Base.php",
                "line": 132,
                "function": "fetchPage",
                "class": "OC_Template",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/nextcloud/lib/private/legacy/template.php",
                "line": 333,
                "function": "printPage",
                "class": "OC\\Template\\Base",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/nextcloud/index.php",
                "line": 65,
                "function": "printExceptionErrorPage",
                "class": "OC_Template",
                "type": "::",
                "args": [
                    {
                        "__class__": "OCP\\Files\\NotPermittedException"
                    },
                    500
                ]
            }
        ],
        "File": "/var/www/nextcloud/lib/private/Files/Node/Folder.php",
        "Line": 185,
        "CustomMessage": "--"
    },
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
    "version": "18.0.3.0"
}

@kesselb do you have any idea what the problem could be here? What minio and nextcloud versions are you running? Thanks a lot!

[cinghaman]

I think I have a similar problem as @pcolmer. After building a working setup with Nextcloud 17 and Minio as primary storage a few months ago, yesterday I tried to do another setup with Minio and Nextcloud 18.0.3 with these config settings:

'objectstore' =>
array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => 
    array (
      'bucket' => 'censored',
      'autocreate' => false,
      'key' => 'censored',
      'secret' => 'censored',
      'hostname' => 'localhost',
      'port' => 9000,
      'use_ssl' => false,
      'use_path_style' => true,
      'region' => 'us-east-1',
    ),
  ),

which, when first opening the NC url in the browser lead to the Minio error
Error: b2_create_bucket: 400: Bucket name is already in use (which doesn't make sense, as I set autocreate to false in the nc config)

and also lead to the NC error:

{
    "reqId": "TkN22M91r0eTahkCvYHq",
    "level": 3,
    "time": "2020-04-11T11:38:49+00:00",
    "remoteAddr": "censored",
    "user": "--",
    "app": "core",
    "method": "GET",
    "url": "/login",
    "message": {
        "Exception": "OCP\\Files\\NotPermittedException",
        "Message": "Could not create path",
        "Code": 0,
        "Trace": [
            {
                "file": "/var/www/nextcloud/lib/private/Files/SimpleFS/SimpleFolder.php",
                "line": 84,
                "function": "newFile",
                "class": "OC\\Files\\Node\\Folder",
                "type": "->",
                "args": [
                    "merged-template-prepend.js"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
                "line": 179,
                "function": "newFile",
                "class": "OC\\Files\\SimpleFS\\SimpleFolder",
                "type": "->",
                "args": [
                    "merged-template-prepend.js"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSCombiner.php",
                "line": 105,
                "function": "cache",
                "class": "OC\\Template\\JSCombiner",
                "type": "->",
                "args": [
                    "/var/www/nextcloud/core/js",
                    "merged-template-prepend.js",
                    {
                        "__class__": "OC\\Files\\SimpleFS\\SimpleFolder"
                    }
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
                "line": 115,
                "function": "process",
                "class": "OC\\Template\\JSCombiner",
                "type": "->",
                "args": [
                    "/var/www/nextcloud",
                    "core/js/merged-template-prepend.json",
                    "core"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/JSResourceLocator.php",
                "line": 71,
                "function": "cacheAndAppendCombineJsonIfExist",
                "class": "OC\\Template\\JSResourceLocator",
                "type": "->",
                "args": [
                    "/var/www/nextcloud",
                    "core/js/merged-template-prepend.json"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/ResourceLocator.php",
                "line": 78,
                "function": "doFind",
                "class": "OC\\Template\\JSResourceLocator",
                "type": "->",
                "args": [
                    "js/merged-template-prepend"
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
                "line": 346,
                "function": "find",
                "class": "OC\\Template\\ResourceLocator",
                "type": "->",
                "args": [
                    [
                        "core/js/dist/main",
                        "js/merged-template-prepend",
                        "search/js/search",
                        "core/l10n/de_DE",
                        "js/backgroundjobs",
                        "files_sharing/l10n/de_DE",
                        "files_sharing/js/dist/main",
                        "files_pdfviewer/l10n/en",
                        "files_pdfviewer/js/previewplugin",
                        "files_videoplayer/l10n/en",
                        "files_videoplayer/js/main",
                        "search/l10n/de_DE",
                        "search/js/searchprovider",
                        "js/files/fileinfo",
                        "js/files/client",
                        "core/js/dist/login"
                    ]
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/TemplateLayout.php",
                "line": 174,
                "function": "findJavascriptFiles",
                "class": "OC\\TemplateLayout",
                "type": "::",
                "args": [
                    [
                        "core/js/dist/main",
                        "js/merged-template-prepend",
                        "search/js/search",
                        "core/l10n/de_DE",
                        "js/backgroundjobs",
                        "files_sharing/l10n/de_DE",
                        "files_sharing/js/dist/main",
                        "files_pdfviewer/l10n/en",
                        "files_pdfviewer/js/previewplugin",
                        "files_videoplayer/l10n/en",
                        "files_videoplayer/js/main",
                        "search/l10n/de_DE",
                        "search/js/searchprovider",
                        "js/files/fileinfo",
                        "js/files/client",
                        "core/js/dist/login"
                    ]
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/legacy/template.php",
                "line": 184,
                "function": "__construct",
                "class": "OC\\TemplateLayout",
                "type": "->",
                "args": [
                    "error",
                    ""
                ]
            },
            {
                "file": "/var/www/nextcloud/lib/private/Template/Base.php",
                "line": 132,
                "function": "fetchPage",
                "class": "OC_Template",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/nextcloud/lib/private/legacy/template.php",
                "line": 333,
                "function": "printPage",
                "class": "OC\\Template\\Base",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/nextcloud/index.php",
                "line": 65,
                "function": "printExceptionErrorPage",
                "class": "OC_Template",
                "type": "::",
                "args": [
                    {
                        "__class__": "OCP\\Files\\NotPermittedException"
                    },
                    500
                ]
            }
        ],
        "File": "/var/www/nextcloud/lib/private/Files/Node/Folder.php",
        "Line": 185,
        "CustomMessage": "--"
    },
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
    "version": "18.0.3.0"
}

@kesselb do you have any idea what the problem could be here? What minio and nextcloud versions are you running? Thanks a lot!

Hey, how I got it to work was,
did a normal NC install, enabled the external storage S3 option made the connection tested it worked and created a bucket, I then went ahead and created a bucket.config.php file and added just the bucket object-storage info (and yes the auto-create false did not work and I had to create a new bucket through object-storage), and in config.php file, change install from true to false and on the command line run the occ: Maintainance command and it got working perfectly.
I am on 18.0.3 version and directly connecting to my S3

[c-reiter]

Okay so I found out that it's a combination of different issues. Following the guide at https://autoize.ch/minio-as-nextcloud-primary-storage/ (also mentioned in #288 ) seemed promising, as another guide by autoize helped me with some issues on nc 17 a few months ago.

The Error: b2_create_bucket: 400: Bucket name is already in use error persisted, so I tried switching to an older minio version which made it work! (Didn't test it for files larger than 10mb yet as I haven't yet worked out how to setup the security module via cli)

In newer versions, minio added a cache for list_buckets requests to decrease b2 costs and I believe this could be a part of the problem.

I'll take a look into the minio issues to hopefully find a fix to use nc18 with the latest minio version.
Thanks a lot for your tips @cinghaman

[kesselb]

I think I have a similar problem as @pcolmer. After building a working setup with Nextcloud 17 and Minio as primary storage a few months ago

@c-reiter You don't have a similar problem. That enhancement request is about reading the credentials for S3 from a EC2 instance profile. It's not about B2 or Minio. If you found a reproducible bug feel free to create a new issue or use https://help.nextcloud.com for questions in general but do not spam unrelated issues with your problems.

[c-reiter]

@kesselb I'm sorry to have caused any inconvenience, I thought that the problems were related because of the "OCP\Files\NotPermittedException" from Nextcloud. It was never my intention to spam. Thank's for telling me the mistake

[cuppett]

<?php

require_once '3rdparty/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\CredentialsInterface;

/** @var callable $credentialsProvider */
$credentialsProvider = CredentialProvider::defaultProvider();
/** @var CredentialsInterface $credentials */
$credentials = $credentialsProvider()->wait();

$CONFIG = [
	'objectstore' => array(
		'class' => \OC\Files\ObjectStore\S3::class,
		'arguments' => array(
			'bucket' => 'nextcloud',
			'autocreate' => true,
			'key' => $credentials->getAccessKeyId(),
			'secret' => $credentials->getSecretKey(),
			'hostname' => 'localhost',
			'port' => 9600,
			'use_ssl' => false,
			'region' => 'us-east-1',
			// required for some non Amazon S3 implementations
			'use_path_style' => true
		),
	),
];

Using above file as config/objectstore.config.php should work. It's a bit hacky because we need to load the autoloader for external libraries but then we can fetch the credentials from the identity provider. I have not tested it with a ec2 instance but the code is called at the right time ;)

This won't work as it doesn't use the session token. Also unclear how long these params are used (will have to take into account the expiration also).

$> curl 169.254.169.254/latest/meta-data/identity-credentials/ec2/securit-credentials/ec2-instance/

  "Code" : "Success",
  "LastUpdated" : "2020-05-09T11:51:11Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA...NWN",
  "SecretAccessKey" : "66MOR...oO00L",
  "Token" : "IQoJb3JpZ2luX2...G1w4=",
  "Expiration" : "2020-05-09T17:59:44Z"
}```